Ask us anything: Security awareness, behavior and culture (part 1)

[00:00:00] CS: Welcome to today's episode of the Cyber Work with Infosec podcast. For 12 days in November, Cyber Work is premiering a new episode every single day. In these dozen episodes we'll discuss hiring best practices, career strategies, team development and the importance of storytelling in cyber security. Today's episode is titled Security Awareness Behavior and Culture: Ask Us Anything, and it happened at this year's Infosec Inspire Conference back in September. Keynote speaker Jinan Budge, principal security and risk analyst at Forrester; and Bruce Hallas of the Rethinking the Human Factor podcast took questions from our virtual audience including: Where to focus your time and budget in educating your staff at times other than security awareness month? Picking employees to be security champions, and maturing your organization's security culture.

We hope you enjoy this 30-minute ask us anything between Jinan and Bruce, along with moderator Kristin Zurovitch. If you want to learn cyber security or move up the ladder in your career, we're giving all Cyber Work listeners a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills. Infosec skills is aligned to the work roles, knowledge and skill statements in the NICE workforce framework and can help you at any stage of your career. Be sure to use the code cyberwork when signing up. More details can be found in the description for this episode. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel for video or on audio wherever you like to get your podcasts. And now let's start the show.

[00:01:37] KM: We'll just get started and jump right in. This is a question that actually came in during your keynote, Jinan. This is from Emmanuel and he's asking one of my team's priorities for the next year and beyond is maturing our organization's security culture. There's been a lot of discussion about how to measure culture and changes to it. What are you seeing as the strongest indicators of culture change and how do organizations like mine report progress on culture to, for example, an executive team?

[00:02:10] JB: Okay. First of all, Emmanuel, congratulations for getting to a point where you are considering measuring your culture. I think that's such a significant point to get to in an organization to measure the security culture. I know I've just listened to Bruce's amazing session and I know he had some perspectives on definitions of culture. And I'm sure, Bruce, you'll be able to share with us definitions as well as measurements. From my perspective, I want to talk about some of the more practical elements of measuring the culture, some of the trends that I'm seeing. I'm definitely seeing a lot of trends in cultural assessments on the market. These are tools that are currently being deployed to measure culture. There are tools that are being used to measure behavior and all really exciting. Again, I'm thrilled to see us move away from that measuring how many people have completed their security awareness training course or how many people liked it. What is that actually giving us? I wasn't really quite sure. But I think there's been an evolution. So really happy to see that we're starting to measure behavior.

But again, if I move on to – And I just want to share a personal example, and it was from a particular organization and a particular transformation that I went to conduct at that particular organization. And I remember when I first walked through the door, this wasn't just a cultural project, it was the entire cyber security program. And I remember going in and no one wanted to know about security. No one. We would have meetings and I would walk into a room and people would literally either laugh and they'll go, “Ha! Ha! Cyber. Cyber. What is this thing?” Or they'll start making gun gestures or they just thought the whole thing was hilarious.

As we started building our brand, building the culture, socializing with stakeholders, it was so interesting how much it changed and it got to a point after one and a half years where I'd walk into a meeting room and people would have a cyber safety moment. And I loved that. It was such an intangible thing. It was certainly something that we never intended to measure, but to me it was such a strong indicator of what a cultural journey that we had all been on this subject of cyber security. And some other ways, if you do want to get specific about this, I think one way you can see if you've changed the dial, you can have a look at things such as how often is your CISO being invited to present at board meetings. How often is this security team being engaged? How engaged is your organization with you about the topic of security?

For me, without getting into um definitional topics, I just think some of these less tangible things are so telling of how far you've come in a year's time. I know it's challenging, because I know that boards and executives, they challenge you and they see other organizations saying how many phishing attempts you've blocked, etc., etc. So you do have to give them whatever it is that's on their mind and demonstrate that, but also just keep on thinking the bigger picture and aim high on that one.

[00:05:47] KZ: That's fantastic. Bruce, how about from the research that you've conducted? What are you seeing as some of the trends there in not only defining culture and determining culture, but how are people going about, I guess, tracking their progress in that change on the cultural spectrum?

[00:06:06] BH: I think it's really interesting. Emmanuel's question was about he was on this path of sort of measuring the progress in terms of the maturity of security culture. And when people talk about measuring maturity, that suggests that they've already defined where the end goal is. So how we're maturing towards our goal? See that they have a goal or they're working to somebody else's goal. Now I think this is a really interesting point because in no court of law is using somebody else's definition of culture, awareness or behavior an excuse. As somebody who trained indoor, I'll tell you this, when things go wrong, the court's not looking for you to say, “Well, we did what the others did.” That's not defendable. Actually what is defendable is, “Well, when you say to us, culture, this is what we as an organization – How we defined it.”

And not only do you that once you've defined something, then you can look at the lining. Everything you do strategy-wise and operational-wise to actually achieving that definition. I think the interesting point is that when you actually go through that definition, it then throws up the opportunity to look at metrics in a somewhat different way. And definitely a different range of metrics to a lot of the metrics that we see being reported day-in, day-out around security culture. So for me, Emmanuel, the real thing is if you've got an end goal that everybody has signed up to in terms of what you mean by culture, that is the starting point. So your maturity should be measured against that and then you have a plan for it being able to argue, “Okay, this is how we were going to achieve that definition.”

And there are many many ways that you can do that. I think one of the most interesting pieces of work that I did as part of my research was actually understanding how cultures, not organizational cultures, but how national cultures, how group cultures, how other type of cultures, how they are formed and influenced. And the thing that comes out from it very quickly is that there are formal structures for communicating and embedding culture within all of us and then our informal structures. And you can think about formal structures as being things like, for example, when we go to school. So the schools that we go to are actually embedding in us the values that are considered norms within the society that we're in.

So in the US there are acceptable norms and those norms are communicated to people, embedded through to people through school, for example. We don't think of school. We think of school as educating us about how to do maths and how to do geography and history and computer studies, but actually one of the core parts of any part of school is about embedding the national values in its students. And then we leave school and we go to maybe – We go to university or a college. Again, it's about the same thing. And then maybe we go into the IT community or information security, we’d become a lawyer, a doctor, an accountant. All these are formal structures for basically embedding values in us.

And then we have the informal side of things. Sorry. Just go back. So that formal structure could – If you think about it that could be your education and awareness program. That's your formal approach to try and embed culture. And organizations have been doing this for years. There’re all the visionary statements that get put up on the walls and the posters and then put into emails, into workshops, etc. Then you have the informal approach to culture. Now actually that starts the day you're born, okay? When you're born, you suddenly get exposed to mom, dad and to a number of other people. And our early formative years, they're all about actually engaging with the cultural norms, which are shared to us through our parents, and then our grandparents, and maybe our brothers and sisters.

As we sort of progress through life we start moving away from parents and we start associating with groups at school. And actually a lot of what we're learning at school isn't just through that structured teachers, head teacher type thing. It's about our friends that we make. It's about the people we don't get on. With an understanding about why we don't get on with them. And the thing for me about culture, you look at how cultures are formed, this structured formal path and this unstructured informal path and actually there's some similarities with the challenges we face and the opportunities we have within organizations around security are stark. They really are really very, very, very clear.

And for me it provides a beautiful blueprint for trying to look at culture from a genuine authentic way rather than a this is what you need to do type of approach. And I think if something goes wrong and you want to be able to demonstrate,” Look, we really did take this seriously. We really set an objective of trying to get a culture where security is truly valued.” Then having a genuine and authentic approach, rather than this is what everybody else is doing. I think it's a winner. I really, really believe it's winner.

[00:11:35] JB: Yeah. I agree. And Bruce, if i may chime in on that one, I love that concept of informal cultures. The things that you don't know that impact you. So I'm going to give you an example related to security. Some of you might know or you might not know, it doesn't matter, but one of the things that we created at Forester back in 2010 was the Zero Trust Model for security, and that's been a hit around the world particularly in North America to start with. As you can tell by the accent, I'm in Sydney, in the Asia Pacific region, and it's kind of – Zero trust for us is crawling into our business security business nomenclature here. And I've been conducting research on that this quarter and it's about to be released soon. It's very exciting. But one of the big challenges to adoption that we've had in region is the word zero in Zero Trust, because as has been communicated to me by many of the CISO I've spoken to in my region, trust is really important in many Asian cultures. They are founded on trust. So when they hear the word zero next to trust, it kind of puts people off.

And for us to ignore this as practitioners, as vendors, as research organizations, it’s like we're shooting ourselves in the foot. So I think understanding some of those nuances and understanding your own organization's culture. The example I gave you. We talked about cyber safety moments at work. This was an engineering organization. So safety, physical safety was really important to them. So we kind of went in parallel with the safety moments that they had at the beginning of every meeting. So super important what one of the things that Bruce said, is to be aware of the cultural context around you.

[00:13:32] BH: I mean I think, and I would expand on that further, because I think when you understand how behaviors are formed and influenced, I was having a chat on my podcast with the gentleman by the name of Dan Ariely, who's a pretty well-known behavioral psychologist. And he was talking about the role of values in terms of decision making, judgments, decision making, and we were sort of alluding to the fact that these are values which are often come through the cultural experience. And a lot of what we talk about, we talk about security culture, I mean the first thing is I would genuinely say to people, “Do you want security control or do you want security as part of your organizational culture?” Because I know we term the phrase security culture and I even use that, but genuinely, do you want to have two separate things within one organization or do you want it just to be this is how things get done? It might be how we’d label something for the time being, but for me personally it's all part of the organizational culture.

But really important is before anybody came and worked in your organization, most of their cultural values that underpin how they make judgments and decisions within your organization, they are all developed an embedded pre-employment, okay? By the time most people are going to college, most of their critical values are already embedded. So it's interesting. When we look at organizational culture separately, actually the underlying thing that's going to influence most of the judgments and decisions that are being made are the values that came pre-working for your company and probably pre-working at all in the sense of being employed within the industry in the way we think about things.

And I think this comes back again to what Jinan just said there understanding the cultural context within which people make decisions. Not just the cultural context within which you communicate to people. And the third part of that triangle is understanding the cultural context that you bring, because cultural lenses mean that you interpret everything very, very differently. And Jinan makes a really good point there around, for example, in the far east, how even a word has a significant different connotation to what we would have, for example, in an Anglo-Saxon country.

[00:16:03] KZ: Sure.

[00:16:04] BH: Yes.

[00:16:05] KZ: If you don't mind, I'd like to switch gears, because there's a question that just came in from Jordan, which I kind of find interesting and it's maybe not on the other end of the spectrum, but further down the spectrum. Emmanuel had asked actually about maturing their organizational or their security culture and he's kind of on that spectrum right now of making that change. This question that came in from Jordan, they asked about – I'll just read what he's he or she said. I'm stepping into the role of managing my company's security awareness training. The program I'm inheriting revolves around annual training for all employees in the fall. I'd like to do more, but it's only me for now. Where do you recommend I focus my time and energy to make an impact beyond just cyber security awareness month? So here's something that's a little bit earlier in their program.

[00:16:55] JB: Jordan, I love you. That is so awesome that you're thinking about this. That's so cool, but also so challenging. It's really challenging. And I think one of the big things for you is going to be actually selling your ideas, whatever they might be, and convincing people to take them on board. What I would personally do is I would approach this like you would any other big challenging project. So the first thing I would recommend is to try your best to conduct a survey or to really, really understand where are your gaps? Who are the stakeholders that you would like to reach within the organization? And typically to do that, just try and see if you can understand what are some of the security aspirations that your security team has, your CISO has actually. What do they want to achieve ultimately? Do they want to gain budget? Do they want to gain visibility? Are they frustrated by particular groups, cyber security behaviors? What's going on in your organization? So try and do some kind of a pulse check. If you can do a survey, that would be amazing. That should not be a difficult thing to do. It will be really fun for you. You can engage with the organization. You can raise your own brand. So it's really cool.

So start with that. Then start segmenting your organization into different – Let's call them threat communities. So the communities in your organization that, again, you want to change the behaviors of is it the senior stakeholders, is it the executive assistants, is it the marketing department? Who is it? Once you start building all of this together then I think it's a matter to start thinking of timelines and creative ideas and campaigns and things that you can do to target those stakeholders. But I really urge you to start from the business end and what are your objectives. What do you want to achieve? And everything will flow from that. Because if you end up getting your stakeholders, your business, your CISO telling you they need something, who knows? You may be able to even get budget and get funding for some of the things that you want to execute beyond cyber awareness month.

And I agree. We need to just move away from once-off annual training or cyber awareness months, really important things. So not move away from them, but extend them with other things. And there are so many, so many cool things out there on the market that you can either purchase or that you can create yourself and get really creative. The other thing that I want to say with budget constraints, if you're by yourself, absolutely consider not being by yourself anymore. So build a virtual team. Build a team of security champions to help support you. And again, those initial planting the seed stuff that you do will be super important.

[00:20:26] KZ: That's fantastic. Actually, we may circle back to that security champions topic in a bit, because I saw another question come in. But before we do that, Bruce, from you, what kind of things might you suggest for Jordan.

[00:20:37] BH: When you read Jordan's question and mentioned that inheritance. The general feeling is inheritance is obviously a horrible situation that stems from something that's been anything is a positive thing, isn't it? He's like, “Okay, this is great. We've got an inheritance.” But this is your opportunity. Just like when you start anew. You go for an interview for a job for education awareness or somebody turns around says, “We need you to educational matters.” This is your opportunity to stamp your vision on what that should be. If you don't take the opportunity, okay, then what you're doing is inheriting what somebody else has come up with and thought that they would be okay with. And if he doesn't produce the results, then the person that's inherited it is going to be the person that's going to be held responsible for it.

So I think this is by far the best opportunity to say, “I'd love to have this job, but these are the conditions.” Okay? And one of those conditions needs to be – I’ve heard the phrase education and awareness. And this goes back to Jinan’s point. But actually do you want education awareness? What is the business case for this? Okay. Because as security professionals, data protection professionals, when we heard the phrase education awareness, I think what we all want is behavior and culture. I mean this whole event is security awareness behavior and culture. Now education and awareness, okay, isn't behavior and culture, okay? It may be a constituent part that helps you move towards influencing behavior and developing an organizational culture or security's value. But on its own, it's not likely to bring around the sort of changes that ideally you want. So my recommendation would be go back and really understand from the stakeholders what are the business objectives.

Now, I mean I think it's really interesting, because when I do this type of work and people say, “Well, we want to bring around behavioral change in line with our policies.” And then you go, “Okay, so we have an awareness campaign.” And actually there's something called the Ebbinghaus curve, and the Ebbinghaus curve is a piece of research which goes back well over a century and it's about how quickly we get things. So I can make people aware, but I can pretty much guarantee that within two weeks they've forgotten about 98% of what I've made them aware of. And this is really interesting, because when we talk about having a campaign in October, and generally to leverage all the other security awareness national campaigns that are going on, most of it is forgotten. And this is why Jinan’s point is really important, which is you've got to continually drive programs and awareness and efforts to influence behavior throughout the whole of the year.

So my recommendation is – I mean I think what Jinan said about what you need to do sort of in terms of strategy, even tactics. But for me, my absolute recommendation to you is take this opportunity to define your own vision and get and the buy-in so that it becomes the vision of the organization, because this is what you're going to have to be happy doing for the whole of the period of time that you are responsible for education awareness. And the best way to be happy in your work and therefore be most productive is to actually have the vision that you have been part of setting, not something that you have inherited for somebody else. Because I'm confident in this, you're the only person. And even if you get another person to help you, okay, it's hard work. It's incredibly hard work.

And so I think you need to – I'm not sure whose that is. Sorry. And so I think it's really important right at the beginning, ask a business, help facilitate a discussion which is about defining its real objectives, because the objectives are behavior and culture, and there's some very good reasons for doing that. Then that defines a certain course of action. If the board genuinely only wants education and awareness, which means they're probably focused upon compliance. Okay, that tells you who you're working for. It tells you what you can expect. It tells you realistically you're going to be able to deliver.

[00:25:16] KZ: Very good. So we have about five minutes left, believe it or not. I'd like to get through two more questions if we could. This one actually I alluded to, which is from Chandra, because it goes back to the point you had mentioned, Jinan, about building a champion network. And Chandra was wondering. She saw your keynote. She said she really enjoyed this morning's talk. She mentioned that toward the end of your keynote you talked about building that champions network. Can you talk more specifically about what traits or abilities I should look for when recruiting employees as champions? So let's do this one as a lightning round if we could.

[00:25:54] JB: Oh! You've known me for how long? You know I can't do lightning. Okay. Let's do this quickly. You want them to be, number one, something that Bruce alluded to, passion. They need to be passionate about security. They need to have some kind of an interest in it. You would want them to be an influencer in your organization or the business unit, because ultimately their job is going to be your influence, your champion. So you do want somebody with those influencing skills ideally creative. So somebody who will supplement, “I'm not really sure how creative you are, but the more creativity, the better in this field, I'll say good at building relationships, interpersonal skills, friendly.” And you'd probably want to hope that they're looking for professional development opportunities.

A lot of people right now rightly want to get into cyber security. We want to welcome everybody to cyber security, because Lord knows what we've got currently is not 100% working. So look for people who are looking for professional development opportunities. And they have skills in something. As your security champions program matures, initially you might just want them to help you out with getting creative or pushing out some messages. But eventually, you're going to want them to get a little bit more specific and have more specific skills such as facilitating workshops, or creating some designs, or writing content. So specificity and skills. Was that lightning enough?

[00:27:35] KZ: That was super enlightening. I appreciate that.

[00:27:36] JB: Thank you.

[00:27:37] KZ: Bruce, anything you'd care to add to that?

[00:27:41] BH: I think that's a really good list of attributes that you need to find in a person. But it's all aligned to what is the actual objective of the ambassador network, and it can be different things. And I think you just have to be cognizant of the fact that ambassador networks have been used in a variety of different fields, health and safety for example, and lots of others. But different culturally, I think there's a really interesting point here. Culturally, having one person that's maybe an ambassador might seem to –Might actually clash with cultural values within the different countries. In a caste system, there will be a hierarchical structure in terms of information flows and how people respect and respond to those individuals. And actually caste systems are sort of prevalent around certain parts of the world.

And so I think another consideration to take when you're developing that cultural, ambassador network, is what are the cultures that we're going to be operating in and how well do they respond to that sort of hierarchy type of approach?

[00:28:53] KZ: Oh, very good. Yeah, that's actually important to think about for some of our multinational organizations that are tuning in today.

[00:28:58] JB: Great.

[00:29:00] KZ: There's actually this question, and thank you, Marcus, for this one, because this is actually the perfect question I think to end on today. Marcus is wondering, from all the security awareness and training programs you've seen, what is the one thing we could all be doing better?

[00:29:17] JB: Nice one, Marcus. What a good closing. I think the one thing that we can do better is to put ourselves in the shoes of the people who are receiving whatever it is that we're giving them. I think empathy is the one thing that we can do better. And I think we can get more and more and more empathetic. We can ask people what they need. We can anticipate what they need. We can really – And you can do that in every single thing that you do. You can do it in the messages that you send out to people. You can do it in understanding how much or how little they want you to approach them. I just think empathy is probably one of life's most underestimated skills right now. So I think that's absolutely my one thing that I've seen.

[00:30:14] KZ: One thing from you, Bruce?

[00:30:16] BH: So I'm going to maybe push the boundaries a little bit on this one. Most of what we do in terms of education awareness is educating people around policies and processing and procedures and our expectations of them. But a spin out of my research was actually how we could really shift the thumb in terms of going in the right direction not by improving what we're doing in terms of educational awareness campaigns. There's clearly an argument for that. I am about designing better security.

So we rely upon communication and education to drive changes in behavior around policies, process and procedures, okay? But that's actually full of lots of issues, which we've been talking about at this event. But actually if you design security in terms of policies, process and procedures with an understanding of how humans, what it means to be human, how behaviors are formed and influenced? How we can increase the likelihood that somebody's going to comply with something. Then actually what you're doing is you're tackling the root cause of the problem rather than trying to push people through the door to comply.

Now, in my view, you design better security and you do better at education and awareness campaigns. And when you do both, you achieve far greater results. And I've seen that working with large organizations, 100,000 plus and with small 30 employee organizations. If you make security a good product that people want to buy and when they experience it, they love it, okay? They'll want to come back again and buy that security product off you.

[00:32:05] CS: Thanks for checking out our ask us anything session with Jinan, Bruce and Kristin. Join us tomorrow for our next episode; Influencing Security Mindsets and Culture, featuring Donna Gomez, security risk and compliance analyst for Johnson County Government in the State of Kansas; and Tom Larson, cyber security awareness lead at the Idaho National Laboratory.

Cyber Work with Infosec is produced weekly by Infosec. The show is for cyber security professionals and those who wish to enter the cybersecurity field. New episodes of Cyber Work are released every Monday on our YouTube channel and at all the places where you like to get podcasts. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork for a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.

Thanks for listening, and I'll see you back here tomorrow for more cyber work. Bye for now.